@bleader I just checked the Excel assessment file I got from the security team. They used CrowdStrike (the sensor is not installed on XCP-ng hosts).
The funny thing is, the asset that it reports as vulnerable is the VM that is running XOA (official image provided by XCP-ng). It was deployed recently, so everything is up to date, but even then I don't understand how it reports the XOA VM as the one containing the vulnerabilities.